Wednesday, April 02, 2008

Automating malware analysis with Truman

Let me start by saying, I'm no malware analyst. I've done a little reversing with IDA Pro, but really only in class. However, during an incident investigation, I frequently come across an unknown Windows binary that is likely to be some sort of malware, and would really, really like to know what it does, and stat! I can do a few basic tests on the binary myself, like examining the strings for clues as to its purpose, or maybe unpacking it if it's using some standard packer. For the most part, though, modern malware is too hard to get a good handle on quickly unless you're aces with a debugger.

A couple of years ago, though, Joe Stewart from LURHQ (now SecureWorks) released an analysis framework just for folks like me. The Reusable Unknown Malware Analysis Net (TRUMAN) is a sandnet environment that allows the malware to run on a real Windows system attached to a protected network with a bunch of fake services, then collects data about the program's network traffic, files and registry entries created, and even captures RAM dumps of the infected system. The great thing about TRUMAN is that it not only makes it easy to collect this information, it automates most of the process of creating a secure baseline, analyzing changes against that, and restoring the baseline to the Windows system when it's all over.

The terrible thing about Truman, though, is that it is quite a complex system, with a lot of moving parts. Which would be OK, except that it comes with almost no documentation. Seriously. None. There's an INSTALL file that gives a brief overview, but leaves out most of the important steps. Frankly, except for one Shmoocon presentation video, there's nothing on the Internet that really tells you what Truman is, how it works or how to go about installing and using it.

Until now!

I just added a TRUMAN page to the NSMWiki. This contains a lot of information, much more than would comfortably fit into a blog post. Most importantly, it contains a detailed step-by-step process for getting TRUMAN up and running with RHEL5 and Windows XP.

Using Truman, I can collect a substantial amount of information about how a suspicious binary acts when it runs, and do it in a matter of 20 or 30 minutes, rather than hours. Admittedly, it's not foolproof, but it should come in extremely handy next time I run across an unknown Trojan.

4 comments:

SHA-1 said...

David - Good stuff. Your wiki made the install process much easier. One question for you (and it may be a nuance of XP pre-SP2): get.bat successfully wgets my .exe and runs it, but hangs before the sleep command and thus never finishes. All commands in the get.bat run fine manually. Did you happen to have this issue at any point?

I am installing a new client with SP2 to see if that resolves the issue, although I don't see why it would.

Regards,

Ryan

David Bianco said...

SHA-1, I'm glad to know you found the wiki helpful. I see that you have made a few updates to it yourself, to clarify a few points. Thanks!

As for the hanging, I don't think I ever encountered that issue. However, if the downloaded program neglects to put itself into the background (like a good Windows binary will usually do), it can hang the script, as it will wait for the malware sample to exit. You can test this by running the sample from the command line and seeing if you ever get a prompt back. This is the only thing I can think of offhand that would cause the problem you're seeing.

user said...

Hello,

First I wanted to thank you for being the first to create a how-to on installing Truman, it's been very helpful. I was wondering if I could get some input as to what hardware you guys are using? Servers or desktops? Reason that I am asking is that I am having problems with Truman recognizing my NIC card, even after appending the entry for my corresponding NIC (tg3), which usually fails stating "device not found". I am guessing this is due to the old kernel as mentioned in the wiki. Not sure where to go from here, which is why I am contemplating new hardware.

thanks again!

SHA-1 said...

For anyone who runs across this with questions like the one regarding HW... If you intend on using Truman as written years ago, you are going to have to use old HW or build new PXE images with the WIUL tools (http://www.wiul.org/?page=wiul-files). During a brief email back and forth with Chas Tomlin, he stated that there was intent to update to support kernel 2.6 and more modern hardware. My work could not wait, so I opted to use a mixture of clients using CoreRESTORE bridges and Windows SteadyState. CoreRESTORE bridges are preferable, but are hard to come by now and don't support SATA drives. This does not replace TRUMAN's ability to dd the drive, but there are plenty of other tools that can be used for similar "system state" analysis before rebooting to a clean OS.